chore: update zarf and uds (#33)

docs: Update README chore: add envoy filter to additional manifests chore: upgrade uds-core, gitlab, and confluence
defenseunicorns · Mar 8, 2024 · 8e9aeb6 · 8e9aeb6
1 parent bce5b7d
commit 8e9aeb6
Show file tree

Hide file tree

Showing 22 changed files with 78 additions and 4,126 deletions.
diff --git a/.github/actions/setup/action.yaml b/.github/actions/setup/action.yaml
@@ -12,9 +12,9 @@ runs:
     - name: Install Zarf
       shell: bash
       # renovate: datasource=github-tags depName=defenseunicorns/zarf versioning=semver
-      run: brew install defenseunicorns/tap/[email protected].1
+      run: brew install defenseunicorns/tap/[email protected].4
 
     - name: Install UDS CLI
       shell: bash
       # renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver
-      run: brew install defenseunicorns/tap/uds@0.7.0
+      run: brew install defenseunicorns/tap/uds@0.9.3
diff --git a/README.md b/README.md
@@ -17,10 +17,10 @@ Once the below [Prerequisites](#prerequisites) are met, these are the steps to d
 
 ### Prerequisites
 **Tools**:
-* [zarf version v0.32.1](https://github.com/defenseunicorns/zarf/tree/v0.32.1)
-- `sudo curl -sL https://github.com/defenseunicorns/zarf/releases/download/v0.32.1/zarf_v0.32.1_Linux_amd64`
-* [uds version v0.7.0](https://github.com/defenseunicorns/uds-cli/tree/v0.7.0)
-- `sudo curl -sL https://github.com/defenseunicorns/uds-cli/releases/download/v0.7.0/uds-cli_v0.7.0_Linux_amd64`
+* [zarf version v0.32.4](https://github.com/defenseunicorns/zarf/tree/v0.32.4)
+- `sudo curl -sL https://github.com/defenseunicorns/zarf/releases/download/v0.32.4/zarf_v0.32.4_Linux_amd64`
+* [uds version v0.9.3](https://github.com/defenseunicorns/uds-cli/tree/v0.9.3)
+- `sudo curl -sL https://github.com/defenseunicorns/uds-cli/releases/download/v0.9.3/uds-cli_v0.9.3_Linux_amd64`
 * (OPTIONAL) [kubectl](https://kubernetes.io/docs/tasks/tools/#kubectl)
 * (OPTIONAL) [helm](https://github.com/helm/helm)
 
@@ -99,7 +99,7 @@ These are the default bucket names. Gitlab allows you to add a suffix in your `u
 Deployment configuration is managed via a `uds-config.yaml` file in the deployment directory. Some values in the configuration will be sensitive, **we do not recommend checking this into source control in its entierty**. Best practice would involve either storing the configuration in an external secrets manager (like Vault), or managing deployments via CD and generating the config file dynamically at deploy time using CD managed secrets.
 
 For demonstration purposes, you can setup a local configfile as follows:
-* Copy an example configuration from [uds-config/uds-core-swf/dev-cluster/uds-config.yaml](uds-config/uds-core-swf/dev-cluster/uds-config.yaml) to your working directory
+* Copy an example configuration from [config/dev-cluster/uds-config.yaml](config/dev-cluster/uds-config.yaml) to your working directory
 * Update the config according to your environment taking care to set:
   * domain variables
   * certificate values

diff --git a/bundles/uds-core-swf/uds-bundle.yaml b/bundles/uds-core-swf/uds-bundle.yaml
@@ -1,4 +1,4 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.5.1/uds.schema.json
+# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.9.3/uds.schema.json
 kind: UDSBundle
 metadata:
   name: software-factory-nutanix
@@ -12,9 +12,9 @@ packages:
   # Zarf init
   - name: init
     repository: ghcr.io/defenseunicorns/uds-capability/rook-ceph/init
-    optional-components:
+    optionalComponents:
       - git-server
-    ref: v0.32.1-0.2.1
+    ref: v0.32.4-0.2.3
 
   # Namespace pre-reqs for swf capabilities
   - name: software-factory-namespaces
@@ -28,9 +28,28 @@ packages:
 
   - name: core
     # repository: ghcr.io/defenseunicorns/packages/uds/core
-    repository: ghcr.io/blancharda/uds-core-ish/core
-    ref: 0.12.0-upstream
+    repository: ghcr.io/defenseunicorns/uds-bundle-software-factory-nutanix/custom-uds-core/core
+    ref: 0.14.5-upstream
     overrides:
+      keycloak:
+        keycloak:
+          variables:
+            - name: KEYCLOAK_DB_USERNAME
+              description: "keycloak database username"
+              path: postgresql.username
+              default: "postgres"
+            - name: KEYCLOAK_DB_PASSWORD
+              description: "keycloak database password"
+              path: postgresql.password
+              default: "replace-me"
+            - name: KEYCLOAK_DB_NAME
+              description: "keycloak database name"
+              path: postgresql.database
+              default: "keycloakdb"
+            - name: KEYCLOAK_DB_ENDPOINT
+              description: "keycloak database name"
+              path: postgresql.host
+              default: "postgresql"
       loki:
         loki:
           values:
@@ -75,47 +94,12 @@ packages:
             - name: TENANT_TLS_KEY
               description: "The TLS key for the tenant gateway (must be base64 encoded)"
               path: tls.key
-
 
-  # legacy requirements of DUBBD like flux (TODO -- remove someday)
-  - name: dubbd-legacy-reqs
+  # Additional manifests needed
+  - name: additional-manifests
     path: ../../build
     ref: 0.0.1
 
-  # Change the realm file keycloak imports from
-  - name: software-factory-idam-realm
-    path: ../../build
-    ref: 1.0.1
-    optional-components:
-      - exported-variables
-    exports:
-      - name: REALM_IMPORT_FILE
-
-  # Identity and Access Management
-  - name: keycloak-database-manifests
-    path: ../../build
-    ref: 0.0.1
-
-  - name: uds-idam
-    repository: ghcr.io/defenseunicorns/uds-capability/uds-idam
-    ref: 0.2.0-amd64
-    imports:
-      - name: REALM_IMPORT_FILE
-        package: software-factory-idam-realm
-
-  # SonarQube SSO secret and variables
-  - name: software-factory-idam-sonarqube
-    path: ../../build
-    ref: 1.0.1
-    exports:
-      - name: SONARQUBE_IDAM_ENABLED
-      - name: SONARQUBE_IDAM_CLIENT_ID
-      - name: SONARQUBE_IDAM_PROVIDER_NAME
-      - name: SONARQUBE_IDAM_SAML_CERT
-      - name: SONARQUBE_IDAM_ATTR_LOGIN
-      - name: SONARQUBE_IDAM_ATTR_NAME
-      - name: SONARQUBE_IDAM_PROVIDER_EMAIL
-
   # Gitlab
   - name: gitlab-redis
     repository: ghcr.io/defenseunicorns/packages/uds/dev-redis
@@ -135,7 +119,7 @@ packages:
 
   - name: gitlab
     repository: ghcr.io/defenseunicorns/packages/uds/gitlab
-    ref: 16.8.1-uds.2-registry1
+    ref: 16.9.1-uds.1-registry1
     overrides:
       gitlab:
         gitlab:
@@ -181,21 +165,6 @@ packages:
   - name: sonarqube
     repository: ghcr.io/defenseunicorns/packages/uds/sonarqube
     ref: 8.0.3-uds.4-registry1
-    imports:
-      - name: SONARQUBE_IDAM_ENABLED
-        package: software-factory-idam-sonarqube
-      - name: SONARQUBE_IDAM_CLIENT_ID
-        package: software-factory-idam-sonarqube
-      - name: SONARQUBE_IDAM_PROVIDER_NAME
-        package: software-factory-idam-sonarqube
-      - name: SONARQUBE_IDAM_SAML_CERT
-        package: software-factory-idam-sonarqube
-      - name: SONARQUBE_IDAM_ATTR_LOGIN
-        package: software-factory-idam-sonarqube
-      - name: SONARQUBE_IDAM_ATTR_NAME
-        package: software-factory-idam-sonarqube
-      - name: SONARQUBE_IDAM_PROVIDER_EMAIL
-        package: software-factory-idam-sonarqube
 
   # Jira
   - name: jira-database-secret
@@ -229,7 +198,7 @@ packages:
 
   - name: confluence
     repository: ghcr.io/defenseunicorns/packages/uds/confluence
-    ref: 1.17.0-uds.1-registry1
+    ref: 1.17.0-uds.2-registry1
     overrides:
       confluence:
         confluence:
@@ -293,5 +262,5 @@ packages:
   - name: software-factory-idam-dns
     path: ../../build
     ref: 1.0.0
-    optional-components:
+    optionalComponents:
       - create-internal-dns-entries
diff --git a/.../uds-core-swf/dev-cluster/uds-config.yaml → config/dev-cluster/uds-config.yaml b/.../uds-core-swf/dev-cluster/uds-config.yaml → config/dev-cluster/uds-config.yaml
@@ -15,14 +15,10 @@ variables:
     ADMIN_TLS_KEY: replace-me-key
     TENANT_TLS_CERT: replace-me-cert
     TENANT_TLS_KEY: replace-me-key
-  keycloak-database-manifests:
-    KEYCLOAK_DB_EXTERNAL_NAME: "keycloak-pg.mtsi-dev.bigbang.dev"
-  uds-idam:
     KEYCLOAK_DB_USERNAME: "postgres"
     KEYCLOAK_DB_PASSWORD: "replace-me-db-passwords"
     KEYCLOAK_DB_NAME: "keycloakdb"
-    KEYCLOAK_DB_ENDPOINT: "keycloak-postgres.keycloak.svc.cluster.local"
-    KEYCLOAK_VALUES: "our-keycloak-values.yaml"
+    KEYCLOAK_DB_ENDPOINT: "keycloak-pg.mtsi-dev.bigbang.dev"
   gitlab-database-secret:
     GITLAB_DB_PASSWORD: "replace-me-db-passwords"
   gitlab-object-store:
@@ -75,7 +71,6 @@ variables:
   sonarqube-database-secret:
     SONARQUBE_DB_PASSWORD: "replace-me-db-passwords"
   sonarqube:
-    SONARQUBE_IDAM_REALM_URL: "https://keycloak.mtsi-dev.bigbang.dev/auth/realms/baby-yoda"
     # db config
     SONARQUBE_DB_NAME: "sonarqubedb"
     SONARQUBE_DB_USERNAME: "postgres"

diff --git a/...uds-core-swf/test-cluster/uds-config.yaml → config/test-cluster/uds-config.yaml b/...uds-core-swf/test-cluster/uds-config.yaml → config/test-cluster/uds-config.yaml
@@ -15,22 +15,16 @@ variables:
     ADMIN_TLS_KEY: replace-me-key
     TENANT_TLS_CERT: replace-me-cert
     TENANT_TLS_KEY: replace-me-key
-  keycloak-database-manifests:
-    KEYCLOAK_DB_EXTERNAL_NAME: "keycloak-pg.mtsi.bigbang.dev"
-  uds-idam:
     KEYCLOAK_DB_USERNAME: "postgres"
     KEYCLOAK_DB_PASSWORD: "replace-me-db-passwords"
     KEYCLOAK_DB_NAME: "keycloakdb"
-    KEYCLOAK_DB_ENDPOINT: "keycloak-postgres.keycloak.svc.cluster.local"
-    KEYCLOAK_VALUES: "our-keycloak-values.yaml"
+    KEYCLOAK_DB_ENDPOINT: "keycloak-pg.mtsi.bigbang.dev"
   gitlab-database-secret:
     GITLAB_DB_PASSWORD: "replace-me-db-passwords"
   gitlab-object-store:
     ENDPOINT: "http://swf.objects.mtsi.bigbang.dev"
     ACCESS_KEY: "replace-me-object-store-access-key"
     SECRET_KEY: "replace-me-object-store-secret-key"
-  gitlab-redis:
-    APP: "gitlab"
   gitlab:
     GITLAB_DB_NAME: "gitlabdb"
     GITLAB_DB_USERNAME: "postgres"
@@ -77,7 +71,6 @@ variables:
   sonarqube-database-secret:
     SONARQUBE_DB_PASSWORD: "replace-me-db-passwords"
   sonarqube:
-    SONARQUBE_IDAM_REALM_URL: "https://keycloak.mtsi.bigbang.dev/auth/realms/baby-yoda"
     # db config
     SONARQUBE_DB_NAME: "sonarqubedb"
     SONARQUBE_DB_USERNAME: "postgres"

diff --git a/packages/additional-manifests/manifests/envoy-filter.yaml b/packages/additional-manifests/manifests/envoy-filter.yaml
@@ -0,0 +1,26 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+  name: envoy-filter-ingress-http2-options
+  namespace: istio-tenant-gateway
+spec:
+  workloadSelector:
+    labels:
+      istio: tenant-ingressgateway
+  configPatches:
+    - applyTo: NETWORK_FILTER
+      match:
+        context: GATEWAY
+        listener:
+          filterChain:
+            filter:
+              name: "envoy.filters.network.http_connection_manager"
+      patch:
+        operation: MERGE
+        value:
+          typed_config:
+            "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
+            http2_protocol_options:
+              max_concurrent_streams: 100
+              initial_stream_window_size: 65536
+              initial_connection_window_size: 1048576
diff --git a/...cy-reqs/manifests/gitlab-ssh-gateway.yaml → ...nifests/manifests/gitlab-ssh-gateway.yaml b/...cy-reqs/manifests/gitlab-ssh-gateway.yaml → ...nifests/manifests/gitlab-ssh-gateway.yaml
diff --git a/...manifests/gitlab-ssh-networkpolicies.yaml → ...manifests/gitlab-ssh-networkpolicies.yaml b/...manifests/gitlab-ssh-networkpolicies.yaml → ...manifests/gitlab-ssh-networkpolicies.yaml
diff --git a/.../manifests/gitlab-ssh-virtualservice.yaml → .../manifests/gitlab-ssh-virtualservice.yaml b/.../manifests/gitlab-ssh-virtualservice.yaml → .../manifests/gitlab-ssh-virtualservice.yaml
diff --git a/packages/dubbd-legacy-reqs/zarf.yaml → packages/additional-manifests/zarf.yaml b/packages/dubbd-legacy-reqs/zarf.yaml → packages/additional-manifests/zarf.yaml
@@ -1,8 +1,8 @@
 # yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/v0.32.1/zarf.schema.json
 kind: ZarfPackageConfig
 metadata:
-  name: dubbd-legacy-reqs
-  description: "Installs Flux and some custom gitlab resources"
+  name: additional-manifests
+  description: "Installs additional needed manifests"
   architecture: "amd64"
   version: "0.0.1"
 
@@ -12,19 +12,6 @@ variables:
     default: "mtsi.bigbang.dev"
 
 components:
-  - name: install-flux
-    required: true
-    manifests:
-      - name: bb-flux
-        namespace: flux-system
-        kustomizations:
-          - https://repo1.dso.mil/big-bang/bigbang.git//base/flux?ref=2.19.1
-    images:
-      - registry1.dso.mil/ironbank/fluxcd/helm-controller:v0.37.1
-      - registry1.dso.mil/ironbank/fluxcd/kustomize-controller:v1.2.1
-      - registry1.dso.mil/ironbank/fluxcd/notification-controller:v1.2.3
-      - registry1.dso.mil/ironbank/fluxcd/source-controller:v1.2.2
-
   - name: gitlab-ssh
     required: true
     manifests:
@@ -34,3 +21,9 @@ components:
           - manifests/gitlab-ssh-virtualservice.yaml
           - manifests/gitlab-ssh-networkpolicies.yaml
           - manifests/gitlab-ssh-gateway.yaml
+  - name: envoy-filter-tenant-ingress
+    required: true
+    manifests:
+      - name: envoy-filter-tenant-ingress
+        files:
+          - manifests/envoy-filter.yaml
diff --git a/packages/databases/keycloak/service.yaml b/packages/databases/keycloak/service.yaml
diff --git a/packages/databases/keycloak/zarf.yaml b/packages/databases/keycloak/zarf.yaml
diff --git a/packages/dubbd-legacy-reqs/zarf-config.yaml b/packages/dubbd-legacy-reqs/zarf-config.yaml
diff --git a/packages/idam-gitlab/gitlab-sso-demo.json b/packages/idam-gitlab/gitlab-sso-demo.json
diff --git a/packages/idam-gitlab/secret.yaml b/packages/idam-gitlab/secret.yaml